Tomcat is a servlet container for Java Servlet and JavaServer Pages technologies.

Tomcat was found to accept multiple content-length headers in a request. This could allow attackers to poison a web-cache, bypass web application firewall protection, or conduct cross-site scripting attacks. (CVE-2005-2090)

Tomcat permitted various characters as path delimiters. If Tomcat was used behind certain proxies and configured to only proxy some contexts, an attacker could construct an HTTP request to work around the context restriction and potentially access non-proxied content. (CVE-2007-0450)

Several applications distributed in the JSP examples displayed unfiltered values. If the JSP examples are accessible, these flaws could allow a remote attacker to perform cross-site scripting attacks. (CVE-2006-7195, CVE-2006-7196)

The default Tomcat configuration permitted the use of insecure SSL cipher suites, including the anonymous cipher suite. (CVE-2007-1858)

Directory listings were enabled by default in Tomcat. Information stored unprotected under the document root was visible to anyone if the administrator did not disable directory listings. (CVE-2006-3835)

Users should upgrade to these erratum packages, which contain Tomcat version 5.5.23 and resolve these issues. Updated jakarta-commons-modeler packages are also included, which correct a bug when used with Tomcat 5.5.23.

4. Solution:

Note: /etc/tomcat5/web.xml has been updated to disable directory listing by default. If you have previously modified /etc/tomcat5/web.xml, this change will not be made automatically and you should manually update the value for the "listings" parameter to "false".
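The "listings" parameter lives in the DefaultServlet's init-param block of web.xml. The following script is an added example, not part of the advisory or of Red Hat's packages: it reads the current value of that parameter and rewrites it to "false" without touching the other init-params. The web.xml fragment it operates on is a constructed sample in the layout Tomcat 5.x ships; on a real system the input is /etc/tomcat5/web.xml.

```shell
#!/bin/sh
# Added example (not from the advisory): inspect and correct the DefaultServlet
# "listings" init-param in a Tomcat 5.x web.xml. The fragment below is a
# constructed sample; the real file is /etc/tomcat5/web.xml.

# Constructed sample web.xml with directory listings still enabled.
SAMPLE_WEBXML=$(cat <<'EOF'
<web-app>
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param>
      <param-name>debug</param-name>
      <param-value>0</param-value>
    </init-param>
    <init-param>
      <param-name>listings</param-name>
      <param-value>true</param-value>
    </init-param>
    <load-on-startup>1</load-on-startup>
  </servlet>
</web-app>
EOF
)

# Print the value of the "listings" init-param read from stdin: the
# <param-value> line that follows the listings <param-name> line.
listings_value() {
    awk '/<param-name> *listings *<\/param-name>/ { want = 1; next }
         want && /<param-value>/ {
             sub(/.*<param-value> */, ""); sub(/ *<\/param-value>.*/, "");
             print; exit }'
}

# Copy stdin to stdout with the "listings" init-param set to "false";
# other init-params (such as "debug") are left unchanged.
disable_listings() {
    awk '/<param-name> *listings *<\/param-name>/ { want = 1 }
         want && /<param-value>/ {
             sub(/<param-value>.*<\/param-value>/, "<param-value>false</param-value>");
             want = 0 }
         { print }'
}

# Usage: report the sample's current setting, then fix it and report again.
printf '%s\n' "$SAMPLE_WEBXML" | listings_value                    # prints: true
printf '%s\n' "$SAMPLE_WEBXML" | disable_listings | listings_value  # prints: false
```

To apply it to a live file, back up /etc/tomcat5/web.xml first, then run `disable_listings` over it and write the result back, and restart Tomcat so the DefaultServlet re-reads its init-params.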

Before applying this update, make sure all previously released errata relevant to your system have been applied.

To update all RPMs for your particular architecture, run:

rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade. Only those RPMs which are currently installed will be updated. Those RPMs which are not installed but included in the list will not be updated. Note that you can also use wildcards (*.rpm) if your current directory *only* contains the desired RPMs.

Please note that this update is also available via Red Hat Network. Many people find this an easier way to apply updates. To use Red Hat Network, launch the Red Hat Update Agent with the following command:

up2date

This will start an interactive process that will result in the appropriate RPMs being upgraded on your system.